Setup L2TP

Configure L2TP Server

Set Server Address to an unused private subnet IP, such as 192.168.32.1

NOTE: This is not a public IP address or "listen" IP for the L2TP service; it is a local IP address that is set as the "gateway" on the clients.

Set Remote Address Range to an unused private subnet, such as 192.168.32.128

Set Subnet Mask to an appropriate value for the client address range, such as 25

Set Number of L2TP Users to the highest concurrent number of expected L2TP users, such as 8

Leave Secret blank

Set Authentication Type to CHAP

Set L2TP DNS Servers as needed, or leave blank

Set RADIUS options if desired
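The Server Address, Remote Address Range, Subnet Mask and Number of L2TP Users above have to agree with each other and with the rest of the network: the client pool must hold every expected user, the server address must sit outside the pool, and the pool must not overlap a subnet already in use. The following Python script is an added example, not part of this guide or of pfSense; it checks those conditions for the values used above and also derives the Network/CIDR entry that the DNS Resolver access list later needs. The assumption that clients are handed consecutive addresses starting at the Remote Address Range, and the EXISTING_NETWORKS list, are constructed for the example.

```python
import ipaddress

# Constructed example values mirroring the settings above; adjust to the real network.
SERVER_ADDRESS = "192.168.32.1"          # L2TP Server Address (client "gateway")
REMOTE_ADDRESS_RANGE = "192.168.32.128"  # first address handed to L2TP clients
SUBNET_MASK_BITS = 25                    # Subnet Mask expressed as a prefix length
L2TP_USERS = 8                           # Number of L2TP Users
# Hypothetical local networks already in use on the firewall (constructed)
EXISTING_NETWORKS = ["192.168.1.0/24", "10.0.0.0/8"]


def plan_l2tp_addressing(server, pool_start, mask_bits, users, existing):
    """Check an L2TP address plan and return a dict of findings.

    Assumption (not taken from the guide): clients receive consecutive
    addresses starting at pool_start, and the mask applied to pool_start
    gives the client network.
    """
    if users < 1:
        raise ValueError("at least one L2TP user is required")
    server_ip = ipaddress.ip_address(server)
    first_client = ipaddress.ip_address(pool_start)
    pool_net = ipaddress.ip_network(f"{pool_start}/{mask_bits}", strict=False)

    last_client = first_client + (users - 1)
    clients_fit = first_client in pool_net and last_client in pool_net
    server_in_pool = server_ip in pool_net
    overlaps = [n for n in existing
                if pool_net.overlaps(ipaddress.ip_network(n))]

    return {
        "pool_network": str(pool_net),
        "first_client": str(first_client),
        "last_client": str(last_client),
        "clients_fit": clients_fit,           # every expected user gets an address
        "server_in_pool": server_in_pool,     # should be False
        "overlaps": overlaps,                 # should be empty
        # Network and CIDR to enter in the DNS Resolver access list
        "resolver_acl": (str(pool_net.network_address), pool_net.prefixlen),
        "ok": clients_fit and not server_in_pool and not overlaps,
    }


if __name__ == "__main__":
    result = plan_l2tp_addressing(SERVER_ADDRESS, REMOTE_ADDRESS_RANGE,
                                  SUBNET_MASK_BITS, L2TP_USERS, EXISTING_NETWORKS)
    for key, value in result.items():
        print(f"{key:15} {value}")
```

Run it before touching the GUI; a plan that reports ok as False will produce clients that cannot obtain an address, a server address that collides with a client, or routing that silently overlaps an existing LAN.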

Add L2TP Users

If RADIUS is not being used, add L2TP users to pfSense.

Navigate to VPN > L2TP, Users tab

Click to add a new user

Fill in Username, Password/Confirmation

Set a static IP address if needed, in the chosen subnet

Click Save

Repeat as needed for additional users.

Setup IPsec

With the L2TP server prepared, the next task is to configure the necessary IPsec settings. The settings below have been tested and found to work, but other similar settings may function as well. Feel free to try other encryption algorithms, hashes, etc. Report any additional combinations found to work or not work on the forum.

Mobile Clients Tab

Navigate to VPN > IPsec, Mobile Clients tab on pfSense

Check Enable IPsec Mobile Client Support

Set User Authentication to Local Database (Not used, but the option must have something selected)

Uncheck Provide a virtual IP address to clients

Uncheck Provide a list of accessible networks to clients

Click Save

Phase 1

Click the Tunnels Tab

Check Enable IPsec

Click Save

Click the Create Phase1 button at the top if it appears, or edit the existing Mobile IPsec Phase 1

If there is no Phase 1, and the Create Phase1 button does not appear, navigate back to the Mobile Clients tab and click it there.

Set Key Exchange version to v1

Enter an appropriate Description

Set Authentication method to Mutual PSK

Set Negotiation Mode to Main

Set My Identifier to My IP address

Set Encryption algorithm to AES 256

Set Hash algorithm to SHA1

Set DH key group to 14 (2048 bit)

NOTE: iOS and other platforms may work with a DH key group of 2 instead.

Set Lifetime to 28800

Uncheck Disable Rekey

Uncheck Disable Reauth

Set NAT Traversal to Auto

Check Enable DPD, set for 10 seconds and 5 retries

Click Save

Phase 2

Click to show the Mobile IPsec Phase 2 list

Click to add a new Phase 2 entry if one does not exist, or click to edit an existing entry

Set Mode to Transport

Enter an appropriate Description

Set Protocol to ESP

Set Encryption algorithms to ONLY AES 128

Set Hash algorithms to ONLY SHA1

Set PFS Key Group to off

Set Lifetime to 3600

Click Save

Pre-Shared Key

With the IPsec tunnel itself ready, the pre-shared key must now be configured in a special way: a single wildcard key that is common to all clients.

Navigate to VPN > IPsec, Pre-Shared Keys tab on pfSense

Click to add a new PSK

Set the Identifier to allusers

NOTE: The "allusers" name is a special keyword used by pfSense to configure a wildcard PSK, which is necessary for L2TP/IPsec to function. Do not use any other Identifier for this PSK!

Set Secret Type to PSK

Enter a Pre-Shared Key, such as aaabbbccc -- ideally one a lot longer and more random/secure than this example!

Click Save

Click Apply Changes
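Because this one wildcard PSK is shared by every client and the Phase 1 above uses Mutual PSK, the key is the only thing protecting the IKE exchange from an offline guessing attack, which is why the guide asks for something far longer and more random than aaabbbccc. The following Python script is an added example, not part of this guide or of pfSense: it generates a key from a CSPRNG and gives a rough strength estimate that flags the placeholder as weak. The 128-bit target and the minimum distinct-character count are assumed policy values, and the letters-plus-digits alphabet is chosen so the key types cleanly on every client.

```python
import math
import secrets
import string

# Characters used for generated keys: letters and digits only, so the key can be
# typed on every client without quoting or escaping trouble (assumption).
PSK_ALPHABET = string.ascii_letters + string.digits
MIN_BITS = 128          # assumed target for a key meant to resist offline guessing
MIN_DISTINCT = 8        # assumed guard against repetitive keys such as "aaabbbccc"


def generate_psk(length: int = 32) -> str:
    """Return a random PSK drawn from the OS CSPRNG via secrets, never random.random()."""
    if length < 16:
        raise ValueError("refusing to generate a PSK shorter than 16 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def assess_psk(psk: str) -> dict:
    """Estimate how strong a PSK is, as a human would pick it.

    The bit estimate is len * log2(size of the character classes present),
    which is an upper bound; the distinct-character count catches keys that
    repeat a handful of symbols and so are much weaker than the estimate.
    """
    classes = (
        (set(string.ascii_lowercase), 26),
        (set(string.ascii_uppercase), 26),
        (set(string.digits), 10),
        (set(string.punctuation), 32),
    )
    chars = set(psk)
    pool = sum(size for members, size in classes if chars & members)
    bits = len(psk) * math.log2(pool) if pool else 0.0
    return {
        "length": len(psk),
        "distinct": len(chars),
        "bits": round(bits, 1),
        "strong": bits >= MIN_BITS and len(chars) >= MIN_DISTINCT,
    }


if __name__ == "__main__":
    # "aaabbbccc" is the placeholder from the guide; the second is a freshly generated key.
    for candidate in ("aaabbbccc", generate_psk()):
        print(candidate, assess_psk(candidate))
```

Paste the generated key into the Pre-Shared Key field here and into the Windows client's preshared key dialog; since the same key must reach every client, distribute it over a channel other than the VPN itself.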

Firewall Rules and NAT

Firewall rules are necessary to pass traffic from the client host over IPsec to establish the L2TP tunnel, and inside L2TP to pass the actual tunneled VPN traffic to systems across the VPN.

IPsec Rules

Navigate to Firewall > Rules, IPsec tab

Review the current rules. If there is an "allow all" style rule, then there is no need to add another. Continue to the next task.

Click to add a new rule

Set the Protocol to any, and set the Source and Destination to any as well

NOTE: This does not have to pass all traffic, but must at least pass L2TP (UDP port 1701) to the WAN IP address of the firewall

Click Save

Click Apply Changes

L2TP Rules

Navigate to Firewall > Rules, L2TP VPN tab

Review the current rules. If there is an "allow all" style rule, then there is no need to add another. Continue to the next task.

Click to add a new rule

Set the Protocol to any, and set the Source and Destination to any as well

NOTE: This does not have to pass all traffic; stricter rules may be used to limit where clients can go

Click Save

Click Apply Changes

Outbound NAT

If clients must pass over the VPN and then back out to the Internet, outbound NAT will most likely be necessary.

Navigate to Firewall > NAT, Outbound tab

Check the rules and see if they will apply to L2TP clients. In automatic or hybrid modes, the L2TP subnet should be listed in the automatic rules section.

Add rule(s) to cover the L2TP clients if Manual Outbound NAT is enabled and none are present.

DNS Configuration

If DNS servers are supplied to the clients, and if the Unbound DNS Resolver is used, then the subnet chosen for the L2TP clients must be added to its access list.

Navigate to Services > DNS Resolver, Access Lists tab

Click to add a new access list

Enter an Access List Name, such as VPN Users

Set Action to Allow

Click under Networks to add a new network

Enter the VPN client subnet into the Network box, e.g. 192.168.32.128

Choose the proper CIDR, e.g. 25

Click Save

Click Apply Changes

Client Setup

Windows

Now it is time to create the client VPN connection. There are several ways to add such a connection, depending on the version of Windows being used. Adapt as needed.

Open Network and Sharing Center on the client PC

Click Set up a new connection or network

Select Connect to a workplace

Click Next

Select No, create a new connection

Click Next

Click Use my Internet Connection (VPN)

Enter the IP address or hostname of the server into the Internet address field

Enter a Destination Name to identify the connection

Click Create

The connection has been added, but with several undesirable defaults. For example, the type defaults to Automatic, and the client will latch onto a PPTP connection if one is available, which is very bad. So a few settings should be set by hand first:

In Network Connection / Adapter Settings in Windows, find the connection created above

Right click the connection

Click Properties

Click the Security tab

Set Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)

Click Advanced settings

Select Use preshared key for authentication

Enter the Key used above, e.g. aaabbbccc

Click OK

Set Data Encryption to Require Encryption (disconnect if server declines)

Set Authentication / Allow these protocols to Challenge Handshake Authentication Protocol (CHAP) -- set to match the value chosen in L2TP

Click OK

Try it Out

It should now be possible to connect to the VPN

Troubleshooting

Firewall traffic blocked outbound

If the firewall logs show traffic blocked "out" on L2TP, then add a floating firewall rule to work around the block: